Catching a phish.

Did you take the bait from our latest phishing drill? Phishing emails, sent by hackers and disguised to look real, can easily bait you to click a link.

If you click the link, you’re putting our patient and employee data at risk. Hackers use these phishing emails to gain access to our confidential data and often install software that causes damage to our systems. 

Learning to catch a phish.

About 4% of the general public unknowingly clicks a malicious link. If we look at HM phishing drills, we average a 17% click rate.

While our employees are getting better at recognizing a phish, we still have work to do. It’s our job to learn what to look for and report suspicious emails. Cyberattackers play on our emotions and things that are familiar to us.

“They use people’s fears, their sense of urgency or curiosity, or their need for reward, validation, or an entertaining distraction,” according to Menlosecurity.com. For example, in March there may be an increase in phishing emails related to taxes, because this is at the forefront of people’s minds.

Not taking the bait.

We’ve now completed our eighth phishing drill. These are exercises that test your ability to recognize a phishing email. February’s phishing drill played on our emotions by asking us to click a link to avoid conduct violations. How many took the bait? 37% of us clicked the link. 

If you teach a person to phish.

The best way to help protect our organization is to learn how to spot a phish.

“Email security is our number one job,” said Barry Beckett, chief information security officer. “Ninety-five percent of successful cyberattacks begin with a phishing email.” To show you all the red flags, let’s break down the April phishing drill. Always think before you click!

Phish Breakdown

Good catch.

If you’ve ever received a “Good catch!” message, you’re doing a great job staying vigilant and paying close attention to your emails. These messages are sent to you when you report a suspicious email that turns out to be one of our planned phishing drills. If you ever report a suspicious email and it wasn’t a planned drill, then you may have helped prevent a real phishing scam. Reporting a suspicious email is one of the best ways you can help prevent a cyberattack.

Phish levels on the rise.

Since we started phishing drills last September, we’ve seen an upward trend in the number of reported suspicious emails.

As a reminder, if you get a suspicious email, here are a few ways to report it:

  • Desktop/laptop (preferred method): Click the Report Phish PhishAlarm button on the Outlook toolbar.
  • Mobile: Tap the three dots by the sender’s name and tap the Report Phish icon.
  • Webmail/Office 365: Select the email. In the preview pane, click the three dots. Scroll down and click Report Phish.
  • Apps Center: The Report Phish button isn’t available, so forward the email to spamspotting@houstonmethodist.org.

You’re part of our defense strategy.

Protecting our data from malicious cyberattacks is a full-time job for our IT Security team, but we all play a significant role in keeping our patient data safe. This includes safeguarding computers, servers, mobile devices, networks, apps and, most importantly, confidential patient and employee data. We use technical programs to help keep our data safe, but employee security awareness training is also a top priority. Here are a few reasons why this is so important.

  • Health care organizations are a known target. According to Forbes.com, one individual’s personal health information is worth at least 25 times more than credit card information on the black market.
  • A 2020 Verizon Data Breach report showed a 71% increase in the past year in health care organizations dealing with stolen data, mostly due to phishing.
  • According to Lookout, a mobile security company, there was a 364% increase from 2019 to 2020 in phishing attempts. Phishing attempts are the most common and easiest way to damage an organization.

Keep your devices updated.

Keeping your personal and work mobile devices on the latest version available is one of the easiest and most effective ways to help prevent a cyberattack. Companies like Apple and Samsung look for security vulnerabilities, also known as holes, in their software that could be exploited to expose your personal information or infect devices. They then patch these holes with updates to your devices. When you get an alert to update your device to the latest version, it’s critical to do so as soon as possible. Not being on the latest version could also result in you losing access to HM resources, including email, from your mobile device.

How do I update my mobile device?
Apple iOS Users
Go to Settings > General, then Software Update. Tap Download and Install. For more detailed instructions, visit support.apple.com.

Android Users
Go to Settings and tap System, Advanced, System update. Your device will check for updates and you’ll be prompted to download files. For more detailed instructions, visit Samsung.com.